| CISA

Enable Active Directory (AD) Protected Users Security Group (CM0018)

In Playbook

Details

ID: CM0018
Version: 1.0
Created: 14 March 2025
Modified: 14 March 2025
Type: Enable
Status: Active

Intended Outcome

Enabling the Active Directory (AD) Protected Users security group restricts adversary lateral movement using protected user credentials.

Introduction

The Protected Users security group is designed as part of a strategy to manage credential exposure within the enterprise. Members of this group automatically have non-configurable protections applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify these protections for an account is to remove the account from the security group.

Preparation

Confirm that primary domain controller is running at least Windows Server 2012 R2.
Confirm that client computers are running at least Windows 8.1 or Windows Server 2012 R2.
If systems to not meet above criteria, protected user group will not be available.

Risks

This countermeasure can break legitimate functionality.
Adding Managed Service Accounts to "Protected Users" will break their functionality, by breaking Kerberos Constrained Delegation (KCD).
Responders are advised against this countermeasure for this reason.

Guidance

Add "Admin" to the Protected Users Group
Verify Protected User is Added
Best Practices

The Protected Users Group protections may be replicated to OSes below Windows Server 2012 R2 if a Windows Server 2012 R2 or above is the Primary Domain Controller emulator.
The Protected Users Group protections will not work for client devices that are NOT Windows 8.1.
Maintain situational awareness on authentication attempts by reviewing "Protected Users" user and failure logs.
Never add all privileged accounts to the Protected Users Group since there is potential to be locked out.

References

Guidance about how to configure protected accounts | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts
Ten things you need to be aware of before using the Protected Users Group | https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-users-group/
Step-by-Step Guide to Active Directory "Protected Users Security Group" | https://www.rebeladmin.com/step-step-guide-active-directory-protected-users-security-group/
Protected Users Security Group | https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group